17 votes

Generated passwords, UX and security absolutism

7 comments

  1. vord
    Fantastic write-up that I'll be using at work sometime.

    We have "security experts" who are definitely security absolutists who sometimes can't see the forest for the trees.

    4 votes
  2. arp242
    My app implements auth purely on an email basis: there are no passwords; you enter your email to log in and you'll be sent a magic link. In many ways, it's similar to the method discussed here.

    I didn't implement it for security reasons, just because I prefer to work on actual useful stuff, instead of user management. I don't think it's that big of a "UX nightmare" as it's made out to be. In practice, people tend to log in very rarely.

    Undelivered emails can be a problem; I might add auth based on other methods too (SMS/Telegram/WhatsApp/whatever else is reasonably easy).

    4 votes
    1. emdash
      Highly recommend implementing RFC6238-compliant TOTP or WebAuthn over SMS, if you get the opportunity.

      2 votes
      1. arp242
        TOTP is an entirely different workflow, and the WebAuthn demo doesn't even work for me (never mind the implementation details). Emails (or Telegram messages) with a link work just fine. I can use the time I save by implementing actual useful features that add business value.

        1. emdash
          It does depend on your application needs, but for many B2B applications, or anything that deals with SMBs, TOTP and quality security policies add significant business value.

    2. json
      My app implements auth purely on an email basis: there are no passwords; you enter your email to log in and you'll be sent a magic link.

      I've recently done the same thing to prove email ownership but to avoid having explicit user accounts for letting someone come back to update their application form on this system. I've since made it a 30 minute server generated TOTP code that gets emailed so the user doesn't end up with a tab for requesting the email and then another tab from the magic link.

      There was a reason for avoiding user accounts for these people but it'd take more background on the system to be able to explain why =/

      2 votes
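The 30-minute emailed login code described in the comment above, as an added example that is not code from the thread or from either commenter's system. It assumes a random single-use code (not an RFC 6238 TOTP) whose hash is stored server-side, with an expiry, a per-email attempt limit and a constant-time comparison; `EmailCodeStore` and its methods are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 60   # 30-minute validity window, as in the comment
CODE_DIGITS = 6              # assumption: six-digit numeric code
MAX_ATTEMPTS = 5             # assumption: lock the code after this many misses


class EmailCodeStore:
    """Issues and verifies short-lived, single-use login codes sent by email."""

    def __init__(self):
        # email -> (sha256 of email:code, expiry timestamp, failed attempts)
        self._pending = {}

    @staticmethod
    def _digest(email, code):
        # Bind the code to the address so a code issued for one email
        # cannot be replayed against another.
        return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()

    def issue(self, email, now=None):
        """Create a fresh code for `email`; the caller emails the returned value."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Only the hash is stored, so a database leak does not expose live codes.
        self._pending[email] = (self._digest(email, code), now + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, email, code, now=None):
        """Return True exactly once for a valid, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if now > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[email]          # expired or locked: discard it
            return False
        ok = hmac.compare_digest(digest, self._digest(email, code))
        if ok:
            del self._pending[email]          # single use: consume on success
        else:
            self._pending[email] = (digest, expiry, attempts + 1)
        return ok
```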
  3. vaddi
    It seems people are getting dumber as technology advances. Weird effect...